Server-Side Template Injection Vulnerability in Chat Template Processing
A Server-Side Template Injection (SSTI) vulnerability was identified in the `hf_chat_template` method of the berriai/litellm application, specifically through the `/completions` endpoint. This vulnerability affects versions up to 1.23.2 and was patched in version 1.34.42. It allows attackers to execute arbitrary code on the server by manipulating the `chat_template` parameter.
Available publicly on Mar 25 2024
Threat Overview
The vulnerability stems from the application's handling of the chat_template
parameter, which is processed by the Jinja template engine. By crafting a malicious tokenizer_config.json
file and using it in conjunction with the /completions
endpoint, attackers can exploit the application to execute arbitrary code. This is achieved by injecting template syntax to manipulate the Jinja environment, ultimately leading to the execution of system commands.
Attack Scenario
An attacker starts by creating a malicious Hugging Face model with a specially crafted tokenizer_config.json
file that includes a payload exploiting the SSTI vulnerability. The attacker then sends a request to the /completions
endpoint of the vulnerable application, specifying their malicious model. The application processes the request, leading to the execution of the attacker's payload and potentially compromising the server.
Who is affected
Any instance of the berriai/litellm application up to version 1.23.2 that exposes the /completions
endpoint is vulnerable to this attack. This includes servers hosting the application and potentially allows attackers to gain control over these systems.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.